Secure exchange of session tokens for claims-based tokens in an extensible system
Abstract
A method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible system includes the steps of: transmitting, to an extensible system server of the extensible system, the session token and a request for a first claims-based token that corresponds to the session token and that is cryptographically signed by an authentication server; acquiring, from the extensible system server, the first claims-based token; transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, and wherein if the second claims-based token is transmitted to a resource provider server hosting a resource provider service, the resource provider service performs a requested operation on behalf of an interactive user of the extensible system.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method of securely exchanging a session token for a claims-based token by a plug-in integrated into an extensible computer system to enable the plug-in to authenticate with a resource provider service that performs operations for an interactive user of the extensible computer system, the method comprising:
transmitting, to a host system server of the extensible computer system, the session token and a request for a first claims-based token that corresponds to the session token;
acquiring, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by an authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user;
transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and
receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user.
2. The method of claim 1 , further comprising cryptographically signing the request for the first claims-based token.
3. The method of claim 1 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook.
4. The method of claim 1 , further comprising receiving the session token from a device of the interactive user.
5. The method of claim 4 , further comprising:
receiving, from the device, a request to perform the operation;
transmitting, to the resource provider service, the API call, including the second claims-based token, to perform the operation; and
receiving, from the resource provider service, a result of performing the operation.
6. The method of claim 5 , further comprising cryptographically signing the API call before transmitting the API call to the resource provider service.
7. A non-transitory computer readable medium comprising instructions that are executable in an extensible computer system, wherein the instructions when executed cause the extensible computer system to carry out a method of securely exchanging a session token for a claims-based token by a plug-in integrated into the extensible computer system to enable the plug-in to authenticate with a resource provider service that performs operations on behalf of an interactive user of the extensible computer system, said method comprising:
transmitting, to a host system server of the extensible computer system, the session token and a request for a first claims-based token that corresponds to the session token;
acquiring, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by an authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user;
transmitting, to the authentication server, the first claims-based token and a request for a second claims-based token; and
receiving, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user.
8. The non-transitory computer readable medium of claim 7 , the method further comprising cryptographically signing the request for the first claims-based token.
9. The non-transitory computer readable medium of claim 7 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook.
10. The non-transitory computer readable medium of claim 8 , the method further comprising receiving the session token from a device of the interactive user.
11. The non-transitory computer readable medium of claim 10 , the method further comprising:
receiving, from the device, a request to perform the operation;
transmitting, to the resource provider service, the API call, including the second claims-based token, to perform the operation; and
receiving, from the resource provider service, a result of performing the operation.
12. The non-transitory computer readable medium of claim 11 , the method further comprising cryptographically signing the API call before transmitting the API call to the resource provider service.
13. An extensible computer system comprising:
an authentication server;
a host system server; and
a plug-in server hosting a plug-in that is integrated into the extensible computer system and that is to authenticate with a resource provider service that performs operations for an interactive user of the extensible computer system, wherein the plug-in server runs on a hardware platform that includes a processor and memory, and the processor is configured to execute instructions from the memory to:
transmit, to the host system server, a session token and a request for a first claims-based token that corresponds to the session token;
acquire, from the host system server, the first claims-based token, wherein the first claims-based token is cryptographically signed by the authentication server, and wherein the first claims-based token is delegated by the authentication server to a service user of the host system server, the service user of the host system server operating on behalf of the interactive user;
transmit, to the authentication server, the first claims-based token and a request for a second claims-based token; and
receive, from the authentication server, the second claims-based token, wherein the second claims-based token is cryptographically signed by the authentication server, wherein the second claims-based token is delegated by the authentication server to a service user of the plug-in, the service user of the plug-in operating on behalf of the interactive user, and wherein the cryptographic signing of the second claims-based token and the delegation of the second claims-based token to the plug-in enable the plug-in to use the second claims-based token to authenticate with the resource provider service to make an application programming interface (API) call requesting the resource provider service to perform a requested operation on behalf of the interactive user.
14. The extensible computer system of claim 13 , wherein the plug-in server is further configured to cryptographically sign the request for the first claims-based token.
15. The extensible computer system of claim 13 , wherein acquiring the first claims-based token comprises retrieving the first claims-based token from a uniform resource locator (URL) configured for a webhook.
16. The extensible computer system of claim 13 , wherein the plug-in server receives the session token from a device of the interactive user.
17. The extensible computer system of claim 16 ,
wherein the plug-in server receives, from the device, a request to perform the operation, and
wherein the plug-in server is further configured to:
transmit, to the resource provider service, the API call, including the second claims-based token, to perform the operation, and
receive, from the resource provider service, a result of performing the operation.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.